This document describes how to set up and deploy a TLS-capable webserver inside a virtualized test environment.
Note about deployment: If you would rather do your assignment using a TLS-capable webserver other than Apache, go for it! If you are comfortable deploying on your own Amazon or Digital Ocean server and you'd rather do the assignment "for real," go for it. Just be sure to document what you did.
Note about Certbot-auto: Certbot is an amazing tool that can automatically configure your web server with responsible, security-conscious TLS settings. However, the purpose of the assignment is to gain experience configuring your webserver's TLS settings yourself.
First we need to set up an environment to do the assignment in. Because we're going to be making a few system changes, we strongly suggest you do the assignment in a virtual machine. That way you don't have to worry about messing up your system, or reverting any settings later. In particular we recommend using VirtualBox.
We'll be using Apache, but if you really want to, you can use another web server like nginx or lighttpd. But you'll be on your own to get it up and running.
You'll need a Linux installation. We tested the assignment in Ubuntu, but your favourite up-to-date Linux distro should also work for this purpose. You can install it yourself, or there are some pre-installed VirtualBox images of Ubuntu available that will help you get up and running more quickly.
If you download one of these pre-installed .vdi's, just run VirtualBox -> New -> Name: Ubuntu (64-bit) -> Use an existing virtual hard disk file, and it will. Make sure everything's updated before proceeding by running
sudo apt-get update
You may also want to invest the time to install the VirtualBox guest additions, which will make VirtualBox much easier to work with (e.g., allowing you to use full-screen and to copy and paste between host and guest OSes).
You'll need to install a couple of programs if you haven't already:
sudo apt-get install apache2
This step involves modifying your OS settings to make TLS work locally and without having to pay for real certificates. You would not normally perform these steps when setting up a secure website, which is why we recommend doing it in a virtual machine.
First you will create a Root Certificate Authority (root CA). Create a key pair for your Root CA:
openssl genrsa -out fakerootca.key 4096
Generate a self-signed root CA certificate:
openssl req -x509 -new -nodes -key fakerootca.key -days 60 -out fakerootca.crt
Set the common name to "My Fake CA."
Next you will create a signing keypair for your website:
openssl genrsa -out mysite.key 4096
Now we create a certificate signing request (CSR):
openssl req -new -sha256 -key mysite.key -out mysite.csr
The Common Name is your website's domain name. For this exercise, use your Western email username, e.g., if your email address was firstname.lastname@example.org, set the common name to www.aessex.com. OpenSSL signs the CSR with your RSA key pair; the -sha256 flag in the command above directs it to use SHA-256.
This certificate signing request will now be used by your root CA to issue a certificate on your site's public verification key:
openssl x509 -req -in mysite.csr -CA fakerootca.crt -CAkey fakerootca.key -CAcreateserial -out mysite.crt -days 60
UPDATE (Nov 28th): The following will let you add a Subject Alternative Name (SAN) to make the certificate acceptable to current versions of Chrome, which require the SAN field and ignore the common name. The DNS name in the SAN must be the exact hostname you chose as the common name and will use for the rest of the assignment (www.mysite.com in the examples below), so adjust mysite.com accordingly. The <( ... ) process substitution only works in bash; in other shells, write the subjectAltName line to a file and pass that file to -extfile.
openssl x509 -req -in mysite.csr -CA fakerootca.crt -CAkey fakerootca.key -CAcreateserial -out mysite.crt -days 60 -extfile <(printf "subjectAltName=DNS:mysite.com")
The previous two steps generated the following files which we'll need in the next steps:
fakerootca.crt: The root CA's self-signed certificate, which goes in the browser's trust store
mysite.crt: Your site's certificate, which goes on the server
mysite.key: Your site's private key, which goes on the server
[TIP]: If you generate a certificate using www in the common name (i.e., www.[your site].com) then you must continue to use the 'www' prefix throughout the rest of the assignment, and vice versa. So be consistent. Setting up your website and certificates to accept connections to both https://www.mysite.com and https://mysite.com requires a few additional steps, but you can skip them for this assignment.
Install fakerootca.crt in Chrome's trust store: Settings -> Show advanced settings -> HTTPS/SSL -> Manage Certificates -> Authorities -> Import -> fakerootca.crt
Now we need to move your site's key and certificate to a reasonable location and then secure them by setting proper permissions. First let's create two directories:
sudo mkdir /etc/apache2/tls
sudo mkdir /etc/apache2/tls/private
and give them the following permissions
sudo chmod 755 /etc/apache2/tls
sudo chmod 710 /etc/apache2/tls/private
Now we need to move your website's key and certificate to the appropriate directories:
sudo cp mysite.crt /etc/apache2/tls/
sudo cp mysite.key /etc/apache2/tls/private/
Now change the file permissions:
sudo chmod 755 /etc/apache2/tls/*.crt
sudo chmod 710 /etc/apache2/tls/private/*.key
If this last operation fails, switch into superuser mode with
sudo su
(and don't forget to exit when you're done).
Now we modify the system hosts file to capture requests to visit your website and point them to localhost. Add the line
127.0.0.1 [hostname]
to the file /etc/hosts, where [hostname] is your website's hostname (e.g., www.mysite.com).
We can verify that Apache is installed correctly by navigating to localhost in a web browser. If successful, we'll see the "Apache 2 Ubuntu Default Page". Otherwise try
sudo service apache2 start
If you ever want to stop apache type
sudo service apache2 stop
First enable the mod_ssl TLS module by typing
sudo a2enmod ssl
sudo service apache2 restart
Let's set up a new website. Let www.mysite.com denote the common name of your website. First let's create a directory to house our website (the -p flag creates the parent directory /var/www/www.mysite.com as well, which does not exist yet):
sudo mkdir -p /var/www/www.mysite.com/public_html/
/var/www/www.mysite.com/public_html/ is your document root. In this directory make a default webpage index.html that contains the following:
<html>
<head><title>Assignment 3</title></head>
<body>
<h3>SE 4472 / ECE 9064</h3>
<h2>Assignment 3</h2>
Hello World!
</body>
</html>
Now we must create a configuration file. Copy the default TLS config file to a new one for our site:
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/www.mysite.com.conf
In www.mysite.com.conf, replace the default DocumentRoot line with the following three directives (ServerAlias takes hostnames only, so it carries no port):
DocumentRoot /var/www/www.mysite.com/public_html
ServerName www.mysite.com:443
ServerAlias www.mysite.com
Now set the paths to your certificate and key. Modify these placeholder paths to the distribution's "snakeoil" certificate and key:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to point to your site's certificate and key:
SSLCertificateFile /etc/apache2/tls/mysite.crt
SSLCertificateKeyFile /etc/apache2/tls/private/mysite.key
Now enable your site:
sudo a2ensite www.mysite.com.conf
and restart Apache:
sudo service apache2 restart
Open Chrome and visit https://www.mysite.com and you should see the Hello World page and the green padlock! For more information about basic Apache setup check out this tutorial.
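The certificate steps (root CA, CSR, SAN) and the vhost edits above, combined into one pre-restart check. This is an added example, not the assignment's own script: it generates the same files non-interactively, writes a constructed three-line stand-in for www.mysite.com.conf, and then verifies the chain, the key/certificate pairing, the key's permissions and the SAN the way you would before restarting Apache. WORKDIR (a temporary directory) and the conf layout are assumptions; file names match the document.

```shell
#!/bin/sh
# Added example, not the assignment's own script: runs the CA and site
# certificate steps above non-interactively, writes a constructed stand-in
# for www.mysite.com.conf, and checks it before Apache would be restarted.
# WORKDIR (a temp dir) and the three-line conf are assumptions.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SITE="www.mysite.com"   # must match the CN, the SAN, /etc/hosts and ServerName

make_certs() {           # the openssl steps above, with -subj and an ext file
  openssl genrsa -out "$WORKDIR/fakerootca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORKDIR/fakerootca.key" -days 60 \
      -subj "/CN=My Fake CA" -out "$WORKDIR/fakerootca.crt"
  openssl genrsa -out "$WORKDIR/mysite.key" 4096 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/mysite.key" -subj "/CN=$SITE" \
      -out "$WORKDIR/mysite.csr"
  printf 'subjectAltName=DNS:%s\n' "$SITE" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/mysite.csr" -CA "$WORKDIR/fakerootca.crt" \
      -CAkey "$WORKDIR/fakerootca.key" -CAcreateserial -days 60 \
      -extfile "$WORKDIR/san.ext" -out "$WORKDIR/mysite.crt" 2>/dev/null
  chmod 600 "$WORKDIR/mysite.key"   # owner only; the 710 above also hides it
}

write_vhost() {          # constructed stand-in for the three edited directives
  printf 'ServerName %s:443\nSSLCertificateFile %s/mysite.crt\nSSLCertificateKeyFile %s/mysite.key\n' \
      "$SITE" "$WORKDIR" "$WORKDIR" > "$WORKDIR/$SITE.conf"
}

# check_vhost CONF CAFILE: report the first problem and return 1, else 0.
check_vhost() {
  conf=$1; ca=$2
  crt=$(awk '$1=="SSLCertificateFile"{print $2}' "$conf")
  key=$(awk '$1=="SSLCertificateKeyFile"{print $2}' "$conf")
  host=$(awk '$1=="ServerName"{sub(/:[0-9]+$/,"",$2); print $2}' "$conf")
  [ -r "$crt" ] && [ -r "$key" ] || { echo "cert or key not found"; return 1; }
  # private key must not be readable by group or others
  case "$(ls -l "$key" | cut -c5-10)" in *r*) echo "key readable by others"; return 1;; esac
  # site certificate must chain to the fake root CA the browser will trust
  openssl verify -CAfile "$ca" "$crt" >/dev/null || { echo "bad chain"; return 1; }
  # certificate and key must be the same key pair (compare public keys)
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
      || { echo "key/cert mismatch"; return 1; }
  # SAN must name the host Apache serves; Chrome ignores the CN
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || { echo "SAN missing"; return 1; }
  echo "$conf: ok"
}

make_certs; write_vhost; check_vhost "$WORKDIR/$SITE.conf" "$WORKDIR/fakerootca.crt"
```

To check a real deployment, point check_vhost at /etc/apache2/sites-available/www.mysite.com.conf and fakerootca.crt instead of the constructed files.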